report

Information Systems Audit Report 2019

Application controls audits

Introduction

Applications are software programs that facilitate an organisation’s key business processes including finance, human resources, case management, licensing and billing. Applications also facilitate specialist functions that are unique and essential to individual entities.

Each year we review a selection of important applications that entities rely on to deliver services. We focus on the key controls that ensure data is complete, and accurately captured, processed and maintained. Failings or weaknesses in these controls have the potential to affect other organisations and the public. Impacts range from delays in service and loss of information, to possible fraudulent activity and financial loss. Entities can use our better practice principles at Appendix 1 to help ensure any Software as a Service (SaaS) contracts include measures to mitigate risks and protect entity information.

Audit focus and scope

We reviewed key business applications at a number of state government entities. Each application is important to the operations of the entity and may affect stakeholders, including the public, if the application and related processes are not managed appropriately.

The 4 applications covered in this report are:

  1. Recruitment Advertisement Management System – Public Sector Commission
  2. Advanced Metering Infrastructure – Horizon Power
  3. Pensioner Rebate Scheme and Exchange – Office of State Revenue
  4. New Land Register – Western Australian Land Information Authority

Our application reviews focused on the systematic processing and handling of data in the following control categories:

  1. Policies and procedures – are appropriate and support reliable processing of information
  2. Security of sensitive information – controls exist to ensure integrity, confidentiality and availability of information at all times
  3. Data input – information entered is accurate, complete and authorised
  4. Backup and recovery – is appropriate and in place in the event of a disaster
  5. Data output – online or hard copy reports are accurate and complete
  6. Data processing – information is processed as intended, in an acceptable time
  7. Segregation of duties – no staff perform or can perform incompatible duties
  8. Audit trail – controls over transaction logs ensure history is accurate and complete
  9. Masterfile maintenance, interface controls, data preparation – controls over data preparation, collection and processing of source documents ensure information is accurate, complete and timely before the data reaches the application.

Our testing was a point in time assessment. We reviewed a sample of key controls and processes to obtain reasonable assurance that the applications worked as intended and that information they contained and reports were reliable, accessible and secure. Our testing may highlight weaknesses in control design or implementation that increase the risk that an application’s information may be susceptible to compromise. However, we do not design our tests to determine if information has been compromised.

Summary

The 4 applications we reviewed all had control weaknesses. Most related to policies and procedures, and poor information security. We also found weaknesses in controls aimed to ensure the applications function efficiently, effectively and remain available. We reported 37 findings across the 4 applications. Nine findings were rated as significant, 17 moderate and 11 minor.

Most of the issues we found are relatively simple and inexpensive to fix. Figure 1 shows the findings for each of the control categories and Figure 2 shows the findings for each of the 4 applications reviewed.

 
Page last updated: May 15, 2019

Back to Top